summaryrefslogtreecommitdiff
path: root/content
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2021-07-20 10:17:19 +0200
committerWojtek Kosior <koszko@koszko.org>2021-07-20 10:17:19 +0200
commit0c7c1ebddab49e1e0b1ad4cc4c8fcdeedd220946 (patch)
tree1afd10275310177cf28991ad021cfb74e4add9f3 /content
parent1789f17466847d731d0bafa67b6d76526ca32b1d (diff)
parentecb787046271de708b94da70240713e725299d86 (diff)
downloadbrowser-extension-0c7c1ebddab49e1e0b1ad4cc4c8fcdeedd220946.tar.gz
browser-extension-0c7c1ebddab49e1e0b1ad4cc4c8fcdeedd220946.zip
Merge commit 'ecb787046271de708b94da70240713e725299d86'
Diffstat (limited to 'content')
-rw-r--r--content/freezer.js2
-rw-r--r--content/main.js73
-rw-r--r--content/page_actions.js5
3 files changed, 27 insertions, 53 deletions
diff --git a/content/freezer.js b/content/freezer.js
index 8e543a6..9dbc95e 100644
--- a/content/freezer.js
+++ b/content/freezer.js
@@ -49,7 +49,7 @@ function mozilla_suppress_scripts(e) {
console.log('Script suppressor has detached.');
return;
}
- else if (e.isTrusted) { // Prevent blocking of injected scripts
+ if (e.isTrusted && !e.target._hachette_payload) {
e.preventDefault();
console.log('Suppressed script', e.target);
}
diff --git a/content/main.js b/content/main.js
index b044c82..af8cd7c 100644
--- a/content/main.js
+++ b/content/main.js
@@ -8,7 +8,6 @@
/*
* IMPORTS_START
- * IMPORT CONNECTION_TYPE
* IMPORT handle_page_actions
* IMPORT url_item
* IMPORT url_extract_target
@@ -18,7 +17,6 @@
* IMPORT is_privileged_url
* IMPORT sanitize_attributes
* IMPORT mozilla_suppress_scripts
- * IMPORT browser
* IMPORT is_chrome
* IMPORT is_mozilla
* IMPORT start_activity_info_server
@@ -28,39 +26,15 @@
/*
* Due to some technical limitations the chosen method of whitelisting sites
* is to smuggle whitelist indicator in page's url as a "magical" string
- * after '#'. Right now this is not needed in HTTP(s) pages where native
- * script blocking happens through CSP header injection but is needed for
- * protocols like ftp:// and file://.
+ * after '#'. Right now this is only supplemental in HTTP(s) pages where
+ * blocking of native scripts also happens through CSP header injection but is
+ * necessary for protocols like ftp:// and file://.
*
* The code that actually injects the magical string into ftp:// and file://
* urls has not yet been added to the extension.
*/
-let url = url_item(document.URL);
-let unique = gen_unique(url);
-
-
-function is_http()
-{
- return !!/^https?:\/\//i.exec(document.URL);
-}
-
-function is_whitelisted()
-{
- const parsed_url = url_extract_target(document.URL);
-
- if (parsed_url.target !== undefined &&
- parsed_url.target === '#' + unique) {
- if (parsed_url.target2 !== undefined)
- window.location.href = parsed_url.base_url + parsed_url.target2;
- else
- history.replaceState(null, "", parsed_url.base_url);
-
- return true;
- }
-
- return false;
-}
+var nonce = undefined;
function handle_mutation(mutations, observer)
{
@@ -85,9 +59,8 @@ function block_nodes_recursively(node)
function block_node(node)
{
/*
- * Modifying <script> element doesn't always prevent its
- * execution in some Mozilla browsers. Additional blocking
- * through CSP meta tag injection is required.
+ * Modifying <script> element doesn't always prevent its execution in some
+ * Mozilla browsers. This is Chromium-specific code.
*/
if (node.tagName === "SCRIPT") {
block_script(node);
@@ -126,24 +99,20 @@ function inject_csp(head)
}
if (!is_privileged_url(document.URL)) {
- start_activity_info_server();
- var nonce, port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});
-
- if (is_http()) {
- /* rely on CSP injected through webRequest, at the cost of having to fetch a nonce via messaging */
- const nonce_capturer = msg => {
- port.onMessage.removeListener(nonce_capturer);
- handle_page_actions(msg[1], port);
- };
-
- port.onMessage.addListener(nonce_capturer);
-
- } else if (is_whitelisted()) {
- /* do not block scripts at all; as a result, there is no need for a green-lighted nonce */
- handle_page_actions(null, port);
- } else {
- nonce = gen_nonce();
- handle_page_actions(nonce, port);
+ const targets = url_extract_target(document.URL);
+ if (targets.policy) {
+ if (targets.target2)
+ window.location.href = targets.base_url + targets.target2;
+ else
+ history.replaceState(null, "", targets.base_url);
+ }
+
+ const policy = targets.current ? targets.policy : {};
+
+ nonce = policy.nonce || gen_nonce();
+ handle_page_actions(nonce);
+
+ if (!policy.allow) {
block_nodes_recursively(document.documentElement);
if (is_chrome) {
@@ -158,4 +127,6 @@ if (!is_privileged_url(document.URL)) {
if (is_mozilla)
addEventListener('beforescriptexecute', mozilla_suppress_scripts, true);
}
+
+ start_activity_info_server();
}
diff --git a/content/page_actions.js b/content/page_actions.js
index dff5f71..75cc4d9 100644
--- a/content/page_actions.js
+++ b/content/page_actions.js
@@ -7,6 +7,7 @@
/*
* IMPORTS_START
+ * IMPORT CONNECTION_TYPE
* IMPORT browser
* IMPORT report_script
* IMPORT report_settings
@@ -49,13 +50,15 @@ function add_script(script_text)
let script = document.createElement("script");
script.textContent = script_text;
script.setAttribute("nonce", nonce);
+ script._hachette_payload = true;
document.body.appendChild(script);
report_script(script_text);
}
-function handle_page_actions(script_nonce, port) { // Add port as an argument so we can "pre-receive" a nonce in main.js
+function handle_page_actions(script_nonce) {
document.addEventListener("DOMContentLoaded", document_loaded);
+ port = browser.runtime.connect({name : CONNECTION_TYPE.PAGE_ACTIONS});
port.onMessage.addListener(handle_message);
port.postMessage({url: document.URL});